Csdn Article Publish (CSDN Blog Article Publishing) Skills

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: csdn-article-publish
Version: 0.1.0

The skill bundle is a legitimate tool for managing CSDN blog articles, allowing users to save, update, and publish Markdown content. While it requires sensitive information such as session cookies and API signatures (stored in a local `csdn_config.json`), the core script `scripts/csdn_article.js` communicates exclusively with the official CSDN API endpoint (bizapi.csdn.net). The bundle includes robust local validation logic to prevent malformed requests and provides clear documentation for the user; no evidence of data exfiltration, unauthorized execution, or malicious prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the local config is exposed or misused, someone could act as the user's CSDN session, including saving, updating, or publishing blog content.

Why it was flagged

The skill asks the user to copy browser session/authentication headers into a local config file so the script can act on the user's CSDN account. This is purpose-aligned, but it is broad account authority and the registry metadata declares no primary credential or required environment variable.

Skill content

`Cookie`: user login cookie ... `x-ca-signature`: signature ... `x-ca-key`: API Key

Recommendation

Only use this with an account you are comfortable automating, protect or delete csdn_config.json after use, refresh/revoke the CSDN session if exposed, and prefer a scoped official token flow if CSDN provides one.

What this means

A mistaken command, wrong article ID, or premature publish action could update or make public the wrong article.

Why it was flagged

The skill intentionally exposes operations that can modify or publish account content on CSDN. The documentation is aligned with that purpose and recommends checking drafts, but these are still high-impact actions.

Skill content

Supports ... updating articles ... publishing articles (requires additional fields)

Recommendation

Require explicit user confirmation before running publish or update commands, verify article IDs and titles, and use draft mode first.

What this means

If the mapping is wrong or tampered with, the agent may update or publish a different CSDN article than intended.

Why it was flagged

The skill persists a local mapping and can later reuse it to decide which CSDN article to update or publish. This is useful, but stale or edited mappings can affect future actions.

Skill content

Automatically maintains a local article mapping file `csdn_article_map.json`, recording `file -> articleId -> url`

Recommendation

Inspect csdn_article_map.json before update/publish operations, pass --id explicitly for important changes, and delete incorrect mappings.

What this means

Users may not get an install-time warning that the skill requires Node.js and local script execution.

Why it was flagged

The documented workflow depends on executing bundled Node.js scripts, while the registry metadata lists no required binaries and no install spec. This is not malicious by itself, but it is under-declared runtime behavior.

Skill content

node {skills目录}/scripts/csdn_article.js save

Recommendation

Declare Node.js as a required binary and make the local script execution requirement explicit in registry metadata.